Policing Connectivity
by Ben Bradley
Can’t keep up with the network
security challenges in your business? Try policing the vulnerabilities
of 650 autonomous businesses. Here’s how one company uses
regular vulnerability scanning to enforce a consistent network security
policy across 650 business units.
The small corporate headquarters of Illinois Tool Works Inc. (ITW)
orchestrates the diverse activities of 650 decentralized business
units employing 49,000 men and women in 49 countries.
Decentralization and an aversion to overhead are ITW’s mantra.
With little corporate infrastructure imposed on the individual business
units, each operates autonomously with little extra overhead. In
fact, the individual business units operate with as much freedom
as their entrepreneurial competitors and are responsible for most
of their own IT decisions.
Because of the hands-off and decentralized role played by the corporate
headquarters, ITW’s corporate IT operations are managed by
a very small IT staff plus an outsourced team of several individuals
responsible for help desk, e-mail and network security.
However hands-off that role, maintaining and enforcing a consistent
network security policy across all business units is vital to efficient
network operations. Communicating and enforcing this policy without
imposing unnecessary “corporate baggage” on the individual
business units is one of Gary Anton’s jobs. According to Anton,
ITW’s Vice President of Strategic Sourcing and IT, corporate
does not make IT decisions for each of the business units. “They
know what kind of systems they need better than we do. Our job is
to define policy, provide stability and guidance and make decisions
for anything that touches the worldwide corporate network.”
ITW’s worldwide corporate network utilizes a massive, carrier-agnostic
VPN that connects all 650 business units to the financial reporting,
HR and e-mail services (hosting, spam and virus filtering).
UNAUDITED CONNECTIONS SLOW NETWORK
Early on, several unaudited connections to the worldwide corporate
network caused problems. “Some business units
were not up to date on patches and virus protection. Some had poorly
configured security and network hardware,” said Anton.
When ITW connected these business units to the corporate VPN, the
unaudited connections slowed the corporate network with worms,
viruses and Trojans.
“When the VPN went live, three or four business units had
significant network issues that were affecting other units on the
VPN,” said Anton. “Almost immediately we were fighting
fires. It didn’t take long to understand the dollar impact
of these kinds of vulnerabilities.”
Staying ahead of the vulnerabilities in 650 different business
units could become an incredibly costly and complicated effort.
After fighting these fires, ITW first searched for tools that would
impose and enforce consistent security standards without asking
the business units to install new software or absorb additional
overhead. Next, ITW sought ways to improve its network security
proactively over time.
To do this, ITW needed a clear security standard and a way to audit
compliance to that standard. According to Anton, “we needed
a way to discover and audit network assets, understand and prioritize
current network vulnerabilities, then track and manage the remediation
efforts over time.”
SELLING THE SOLUTION
Convincing the ITW Corporate executive team and each of the business
unit controllers and IT staff that worldwide security standards
were necessary was easier than anticipated.
“We didn’t use fear to sell this project,” said
Anton. “All our executives and business unit management were
aware of what happens when critical systems are disabled. They understand
the potential dollar impact when orders can’t be received
and goods can’t be shipped.”
After the executive team gave the go-ahead for implementing and
enforcing a consistent security policy, the first task was a complete
discovery of all network assets. With 650 business units touching
the corporate network in different ways, ITW wanted to know which
devices were infected, poorly configured or needed patches.
For the vulnerability assessments, after a three-month review of
nearly ten different vulnerability scanning vendors, Anton selected
Beyond-IP – a vulnerability scanning tool that is now available
through CDW.
Beyond-IP automates vulnerability testing by locating and exposing
security vulnerabilities in hosts and corporate networks, and checks
systems for exposure to hostile external attacks on both
exposed and private LANs and WANs.
THE PROCESS
Even before selecting the vulnerability scanning software, Anton
knew they’d find vulnerabilities. Marc Palano and Jerry Irvine,
project managers from Prescient Development, ITW’s outsourced
IT services vendor, constructed a comprehensive remediation plan based
on the following four-step vulnerability management process.
• Discover and Audit: What is our current state of network
security? What are our vulnerabilities? What is the baseline that
we need to improve?
• Prioritize: What are the high-risk vulnerabilities?
• Remediate: Fix the high-risk vulnerabilities and eliminate
or control their root cause; most of the low-risk vulnerabilities
will then disappear as well.
• Maintain and Monitor: Use regular scans to enforce policy
and understand the state of our network security as it relates to
evolving security threats. How do we know we are secure? How do
we know that we are doing a good job? How do we know that our outsourced
team is doing what they say they are doing?
To win the business units’ acceptance, Palano and Irvine
spent extra time explaining the new security policy to them.
According to Irvine, “we explained that we would be
performing IT systems vulnerability testing as part of an internal
controls initiative and that we had specifically selected Beyond-IP
because it would cause no disruption to their systems and required
no installation of any new software on their systems.”
Most importantly, Palano and Irvine spent many hours reassuring
business unit management that at no time would any of their data
be read, altered or copied by this application.
ITW manages the vulnerability scanning over its VPN from within
its own NOC (network operations center), minimizing travel or shipment
of devices to each location.
“Since each business unit has a different network infrastructure,
we scan across all operating systems including Windows, Novell,
and multiple versions of UNIX,” said Palano. “And we
also do a full system vulnerability scan across all network devices
such as firewalls, routers, switches, in addition to the servers
and PCs.”
MOUNTAINS OF VULNERABILITY DATA
The first series of scans looked at nearly 10,000 nodes. Anton
admits that even though they anticipated extensive data from the
scans, they were not fully prepared for the volume of data generated
by the first vulnerability audit. The automated scanning tool ran
thousands of test categories on each node.
The results of the first scans showed all the assets that exist
on the network plus the kind of information that could be obtained
by an intruder targeting the network. In addition, all vulnerabilities
were ranked by risk level, and every host affected by that vulnerability
was listed and prioritized by severity.
“Instead of reviewing mountains of paper to prioritize these
vulnerabilities, ITW, Prescient and Beyond-IP built a web-based
portal that allows business units to view their scans, understand
the severity and priority of vulnerabilities, track remediation
projects and review differential data to compare their current security
posture to past security readiness,” said Anton.
The portal also describes each vulnerability — its possible
impact on the network, and information on remediation. According
to Anton, “each business unit can now monitor and track their
security projects and receive recommendations for best remediation
practices.” Corporate management uses the portal to track
and oversee business unit compliance with the security policy.
REMEDIATION WITHIN 20 DAYS
As written, ITW’s security policy states that when vulnerabilities
are discovered in the corporate network, these vulnerabilities must
be addressed within 20 business days. This same 20-day policy applies
to all the business units as well.
Once the business unit has addressed high-risk vulnerabilities,
they are required to contact ITW Corporate IT to request a follow-up
or differential scan for confirmation of remediation.
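The four-step process (Prioritize, Remediate, Maintain and Monitor) and the 20-business-day remediation and differential-scan policy described above, as an added Python illustration that is not part of the article, of Beyond-IP or of the ITW/Prescient portal: it ranks findings by risk, computes the differential between two monthly scans of one business unit, and flags high-risk findings still open after the deadline. Host names, finding ids and dates are constructed sample data.

```python
from datetime import date, timedelta

# Constructed sample results (not ITW data) for one business unit:
# two monthly scans, keyed by (host, finding id) -> risk level.
SCAN_MAY = {
    ("fw-01", "FINDING-001"): "high",
    ("srv-02", "FINDING-002"): "high",
    ("srv-02", "FINDING-003"): "low",
    ("pc-17", "FINDING-004"): "medium",
}
SCAN_JUN = {
    ("srv-02", "FINDING-002"): "high",    # still open
    ("pc-17", "FINDING-004"): "medium",   # still open
    ("pc-17", "FINDING-005"): "high",     # new since the May scan
}
RISK_ORDER = {"high": 0, "medium": 1, "low": 2}


def prioritize(scan):
    """Rank findings highest risk first (the Prioritize step)."""
    return sorted(scan.items(), key=lambda kv: (RISK_ORDER[kv[1]], kv[0]))


def differential(previous, current):
    """Compare two scans: what was fixed, what is new, what persists."""
    prev, cur = set(previous), set(current)
    return {"fixed": sorted(prev - cur),
            "new": sorted(cur - prev),
            "persisting": sorted(prev & cur)}


def add_business_days(start, days):
    """Deadline = start plus N weekdays (holidays are ignored here)."""
    d = start
    while days > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:   # Monday..Friday
            days -= 1
    return d


def overdue_high_risk(previous, current, scanned_on, today, window=20):
    """High-risk findings from the earlier scan that are still open once
    the 20-business-day remediation window has passed."""
    if today <= add_business_days(scanned_on, window):
        return []
    still_open = differential(previous, current)["persisting"]
    return [k for k in still_open if previous[k] == "high"]


if __name__ == "__main__":
    for host, fid in overdue_high_risk(SCAN_MAY, SCAN_JUN,
                                       date(2024, 5, 1), date(2024, 6, 3)):
        print(f"OVERDUE: {host} {fid}")   # prints: OVERDUE: srv-02 FINDING-002
```

The "fixed" list is what a follow-up (differential) scan confirms; the "persisting" high-risk entries are the ones the 20-day policy escalates.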
ITW also provides courtesy scanning if a business unit is installing
a new network device (e.g., a firewall, router, switch or server)
and wants confirmation of proper configuration. Business units can
also request recommendations and help managing their internal patch
management and virus scanning processes. This could include the
installation of Microsoft SUS (Software Update Services), configuration
of an enterprise antivirus management console, and other tools.
Looking back, Anton believes a consistent and measurable security
standard has positively impacted the company. “At first, the
enormity of the baseline vulnerability data was daunting. Once you
begin auditing, fixing problems and enforcing policy on a regular
basis, the light at the end of the tunnel appears very quickly.”
Anton believes in the power of information. He knows that the byproduct
of this scanning process is that he can clearly demonstrate security
improvements over time. “I now have historical records of
scans, problems fixed and how quickly they were fixed. I can show
the executive team what we’re doing and how fast we’re
responding to threats. I know someday this information will be useful
to our audit group.”
Because of these processes, ITW has seen a massive reduction in
attacks on its network, and by enforcing these policies it believes
it has found a way to stay ahead of the vulnerabilities in its 650
different business units.
TAKEAWAYS
Evaluating remote vulnerability assessment tools? Here’s
how ITW uses monthly automated vulnerability scans instead of manual
assessments as part of improving their network security posture
over time. Gary Anton, VP of Strategic Sourcing and IT for Illinois
Tool Works shares these thoughts about proactive vulnerability scanning…
1) Accept it. You will find vulnerabilities. Lots of vulnerabilities.
Use the scan results to emphasize the importance of best practices
and benchmarking against a clear standard.
2) Have a plan. Have a plan in place for addressing these vulnerabilities
before you start scanning. Don’t be overwhelmed by the initial
volume of vulnerabilities you discover.
3) Fix the high-risk vulnerabilities first. By fixing the high-risk
vulnerabilities, most of your minor vulnerabilities should disappear.
4) Keep it simple. Nothing will hinder your progress faster than
interrupting the people you are trying to help. Let everyone know
the benefits of improved security and how you will minimize issues
on their internal network.
5) Be proactive. A manual scan is obsolete before it is even completed.
Automated scans are inexpensive and give you near real time assessments
of your network security.
6) Communicate. Distribute regular brief updates that show how your
risk exposure has improved over time. Try to keep these updates
to one page or less.
7) Keep it inside. Your vulnerability data should never leave your
network. Don’t trust it with a consultant or a vendor.
8) Enforce a remediation plan. Have a plan in place and work to
enforce that plan once vulnerabilities are found.
Reprinted with permission of CDW and http://www.biztechmagazine.com